Where WAF fits into the data path
Web application firewalls (WAFs) are an integral component of application protection. They are excellent at protecting against the OWASP (Open Web Application Security Project) Top 10 and are a go-to solution for addressing zero-day vulnerabilities – but where do you put them?
Everyday data paths offer various insertion points at which a WAF can be deployed, says Martin Walshaw, senior systems engineer at F5. "However, we need to think carefully about where the WAF should be plugged in. According to a recent blog from F5, some points are less efficient, some introduce points of failure, and others introduce architectural debt that incurs heavy interest penalties over time."
F5 recommends that businesses ideally deploy the WAF behind the load balancing tier, which optimises for utilisation, performance and reliability, while providing the necessary protection for all apps, including those exposed on the Internet. The following are important considerations to weigh when deciding on WAF placement on the data path:
Where WAF is concerned, utilisation becomes a key factor in operational costs as higher utilisation, which is inherent to a WAF solution, leads to additional resource requirements, which consume budgets.
While many WAFs scale well, they can still be overwhelmed by flash traffic or attacks, so if the choice is to place the WAF in front of the load balancing tier, companies will need another load balancing tier to scale it separately. Without this, you risk impacting performance and availability.
Performance is also affected by placing the WAF in front: to increase performance and save time, you want to eliminate layers of network from the equation rather than add to them, and that means deploying your WAF behind the load balancing tier.
The ability to inspect the entire flow is a key requirement for security solutions in the data path. Without it, many of the security functions boasted by a WAF become moot. When the WAF is behind the load balancing tier, SSL/TLS (Secure Sockets Layer/Transport Layer Security) decryption happens before traffic is passed to the WAF for inspection.
"While these are all valid considerations, a WAF can fit pretty much anywhere you want it to fit," says Anton Jacobsz, managing director at Networks Unlimited, a value-added distributor of F5 in Africa.
"As F5 notes, it could sit at the edge of the network, if that's where you want it. However, best practice to optimise your architecture for performance, utilisation and reliability is to position it behind the load balancing tier and close to the application it's protecting."